
[Hat-Squad] GFI L.N.S.S 5.0 Insecure Credential Storage




February 28, 2005 
Hat-Squad Advisory: GFI L.N.S.S 5.0 - Insecure Credential Storage

Product: GFI Languard Network Security Scanner 
Vendor Url: http://gfi.com/
Version: 5.0
Vulnerability: Insecure Credential Storage
Release Date: February 28, 2005 

Vendor Status: 
Informed on 22 February 2005
Response: 22 February 2005
Released: 28 February 2005

Overview: 

GFI L.N.S.S is a vulnerability scanner that helps administrators identify 
security holes in their networked systems. The product also has a built-in 
patch management solution to deploy missing patches on detected vulnerable 
systems.
In order to remotely deploy patches, the user must provide credentials that 
allow L.N.S.S to authenticate itself to the remote system and install the 
patches. Administrative-level privileges are needed to install patches on 
remote systems.
As L.N.S.S is usually used in domain environments, the account prepared for 
L.N.S.S is usually a member of the "Domain Admins" group or a similar highly 
privileged group that has complete control over all members of the domain. 
The product provides two options for privileged scanning and deployment: 
"currently logged-on user" and "Alternative Credentials". Helpfully, to save 
you retyping it, GFI saves the entered password for you in "Alternative 
Credentials" mode. There is also another option in L.N.S.S to save scan 
reports to an MS-SQL server; here again you must provide an account on the 
MS-SQL server for the application.
A weakness was discovered in this product that makes it possible to dump the 
saved credentials INSTANTLY, without any offline attack to recover them; the 
saved credentials in this case are a domain username and password. 


Problem: 

Each time the L.N.S.S process (lnss.exe) is loaded to do a scan or deployment 
job using saved credentials, it is possible to read the saved username and 
password instantly from the memory space of the process, because L.N.S.S 
loads them into memory as clear-text strings. With a simple, short piece of 
code it is possible to dump both the MS-SQL and the DOMAIN username/password 
from the local system. Note that in order to access the memory space of the 
lnss process you need sufficient privileges (usually local admin).
Although this makes the attack vector more limited, it does not reduce the 
risk level of this weakness, because the attacker gains access to a 
domain-admin level account password in CLEAR-TEXT by using a locally 
privileged account. This could be exploited by malicious code or by chaining 
another remote vulnerability on the system. 


Exploit: 

Use your custom memory-dump code or any available tool to dump the memory 
space of the process.
The "Process Memory Dumper" code provided by KD-TEAM 
( http://www.kd-team.com/tools/MemPDump.kd_team.rar )
can be easily customised to complete our mission. Greets to DiabloHorn ;)

Vendor Response: 

The vendor has been notified of this weakness and has confirmed it, but at 
the time of writing they have not provided any patch or workaround for it.

Workaround :

GFI should fix their code ASAP and use encryption. Until then:

* Do NOT run the LNSS process under low-privileged accounts (GFI's default 
is to run it as SYSTEM; keep it that way).
* Do NOT save your password (at least not the domain account used for 
scanning) in the application.
* Try NOT to use "Alternative Credentials" mode while using LNSS.
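The "use encryption" fix the advisory asks of GFI, shown in Go as an added example that is neither GFI's code nor part of the original advisory: the saved password is kept encrypted (AES-GCM) and decrypted into a byte buffer only for one authentication call, which is zeroed afterwards. The key is assumed to be supplied by the caller; in a real product it would come from an OS-protected store such as DPAPI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredCredential: a saved account whose password is encrypted at rest; the
// plaintext never lives in a Go string (strings cannot be scrubbed).
type StoredCredential struct {
	Username   string
	Nonce      []byte
	Ciphertext []byte
}

// NewAEAD builds AES-GCM from a 16/24/32-byte key. A real product would take the
// key from an OS-protected store (DPAPI on Windows), not the config file beside
// the ciphertext; here the caller supplies it (assumption for this example).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the password for storage, binding the username as associated
// data so a ciphertext cannot be swapped between accounts undetected.
func Seal(aead cipher.AEAD, username string, password []byte) (*StoredCredential, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, password, []byte(username))
	return &StoredCredential{Username: username, Nonce: nonce, Ciphertext: ct}, nil
}

// UseCredential decrypts only for the duration of use and zeroes the plaintext
// before returning; tampered or mismatched ciphertext fails authentication.
func UseCredential(aead cipher.AEAD, c *StoredCredential, use func(user string, pw []byte) error) error {
	pw, err := aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.Username))
	if err != nil {
		return err
	}
	defer func() { // scrub the clear-text copy as soon as use ends
		for i := range pw {
			pw[i] = 0
		}
	}()
	return use(c.Username, pw)
}
```

Encryption at rest shortens the clear-text window but cannot remove it: while the credential is in use, anyone able to read the process memory (a local admin, as the Problem section describes) can still see it, so scrubbing and the privilege workarounds above are complementary, not alternatives.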

Credits: 
This vulnerability was discovered by Seyed Hamid Kashfi (hamid@xxxxxxxxxxxxx)

The original advisory could be found at: http://www.hat-squad.com/en/000160.html